When Cyber Threats Impact Food Safety

There are three things everyone must do in order to survive – breathe, drink, and eat. Air pollution may threaten our long-term health and pollutants may contaminate our water supply, but for most living in the developed world, the long-term health impact of these issues may not be felt for years, perhaps decades.

But what if our food is also unsafe? We are well past the dawn of the industrial era, and long past the times when people grew or killed all of their own food. Some people still rely on their own vegetable gardens and local family-run farms, but even those people usually have to buy some manufactured food items from the supermarket.

My own diet, I must confess, is mainly microwaveable meals, Japanese restaurant food, and Oreos. But if I had a healthier diet, manufactured food would still be unavoidable without very strict meal planning. Even the avocados and bananas I buy every week were grown and harvested in massive industrial facilities. My situation is similar to the situations most people reading this are in, both in the developed and developing worlds.

I think most adults have had the experience of eating something commercially grown or served in a perfectly respectable-looking restaurant that appeared to be safe and ending up giving them food poisoning. It probably doesn’t happen to you every year, but there have probably been at least one or two of those incidents in your life. If you’re lucky, you endure some nausea, vomiting, and diarrhea for a day or two, but then you’ve fine afterwards.

But even healthy people can be killed by food-related illness, even if they have no allergies and are otherwise healthy. What is the food and beverage (F&B) industry doing to prevent this from happening?

Assessing the Impact of Foodborne Illness in the U.S.

The Centers for Disease Control and Prevention (CDC) do important research on the impact of foodborne illness. According to the CDC, each year about one in six Americans, around 48 million people, gets sick from foodborne illness. Of those people, 128,000 are hospitalized, and 3,000 die. It’s a serious statistic that affects people of all socioeconomic levels and walks of life.

So what does this have to do with cybersecurity? Well, the industrial control systems (ICS) in our food manufacturing plants are vulnerable to cyberattack. Cyberattacks to food manufacturing can lead to unsafe levels of pathogens to our food, and many other problems that can make innocent-looking food dangerous. What if someone has a deadly peanut allergy, reads food labels very carefully, but then their ‘certified nut-free’ potato chips were mistakenly made with peanut oil rather than canola oil due to a cyberattack switching up the recipe or ingredients ordered? It seems far fetched, but many disasters seem implausible until they actually happen.

A concerning new report was recently released by the Food Protection and Defense Institute (FPDI), an organization of the University of Minnesota. The report, titled Adulterating More Than Food: The Cyber Risk to Food Processing and Manufacturing (PDF), sheds light on the very much overlooked cyberattack risk to food manufacturing facilities across the United States.

ICSs have always been an attractive target for cyberwarfare groups and the like, but industries like the financial and energy sectors are usually aware of the threat and they’ve been making steady progress in improving their security. The same can’t be said about the current state of food manufacturing. According to Stephen Streng, a lead author of the report:

“The food industry has not been a target of costly cyberattacks like financial, energy, and healthcare companies have. However, as companies in those sectors learn to harden their defenses, the attackers will begin looking for easier victims. This report can help food companies learn about what could be coming their way and how to begin protecting themselves.”

The executive summary of the report states:

“The food industry is not exempt from… risk. It is already a frequent target of criminals, including transnational criminal organizations engaged in large-scale food fraud, counterfeiting, theft, and smuggling. The potential consequences of an attack on industry ICSs are just as significant, including massive financial losses for companies and/or harmed customers. And, food industry ICSs not only have many of the same vulnerabilities as other sectors, but many unique ones as well. These include those stemming from the many companies still using ICSs that were developed before security was a concern and can’t be updated.

Although other industries have been the primary target of attacks so far, it’s likely only a matter of time before the food industry is attacked as the others harden their defenses, and the threats seek easier prey.”

Industrial Control Systems: the Weak Link in the Food Production Chain?

The risk to food manufacturing ICSs has exploded in the past couple of decades. In 2011 alone, there were over 200 known cybersecurity vulnerabilities in current production systems. The number of known ICS vulnerabilities has increased every year since. Imagine how many zero-day vulnerabilities there may be, just waiting to be discovered by a potential cyber-criminal.

The nature of some of these ICS vulnerabilities are horrifying. Speaking personally, I’m worried about hard-coded passwords. Hard-coded means passwords that cannot be changed by users or administrators; these can only be changed by the software developer, if it’s possible at all. Cyber attackers likely have knowledge of what a lot of those passwords for specific ICS components are.

Why on earth would vendors and developers design their authentication systems like that? Because a lot of these systems were designed before there was much awareness of the risks of putting ICSs on the Internet. Our operating systems get frequently patched, and we replace our personal smartphones on average about once every two years. But the hardware, software, and networking appliances that food manufacturers use often stay in production and unchanged for years, or even decades.

Another problem that the FPDI recognizes is that food producers can’t just choose to avoid vendors whose products have a lot of known vulnerabilities, because they’re widespread among manufacturers and component types. It’s likely that all vendors used in food manufacturing ICSs have some critical vulnerabilities in their products.

The report goes into greater detail about the threat of legacy technology in our food production ICSs:

“With a closer look, it should be no surprise that so many vulnerabilities exist. Industrial control systems and the components that comprise them are designed for long service lives. Many systems still in use today were developed before cybersecurity was a concern. Thus, these systems were never designed to be secure from cyber attacks.

They use hardware lacking the processing power and/or memory to incorporate security modifications, and they use old protocols for transmitting data—such as Ethernet/IP, FTP, Modbus, Omron FINS, Siemens S7, and Telnet—that lack basic security features. Many of these protocols assume the trustworthiness of the sending source and/or the data being sent and do not use modern security features that authenticate the sender or integrity check the data.”

How did we get to this point? The report elaborates:

“Compounding the issue in the food industry is that—as identified by Food Protection and Defense Institute researchers during facility assessments—many food industry ICSs use outdated operating systems. These include Windows 98, IBM AS 400, and early Linux. These also didn’t have security adequately incorporated into their design. 

For both the OSs and data transmission protocols mentioned above, it’s like building a house without thinking to include door locks because no one had ever been robbed before. Most alarming, however, is how easily these ICSs using outdated protocols and OSs can be discovered on the Internet.”

When Air Gapped Systems Fail to Provide Security

For the past several years, plant operators have often assumed that their vulnerabilities are no big deal if they keep their ICSs off their enterprise networks and the public Internet. But air-gapped computers are difficult to update, and they become very lucrative cyberattack targets once they inadvertently get connected to networks again, or they become physically accessible to thousands of food production workers. As per the report:

“Plant operators trusted in the isolation of their systems from the enterprise business network and the public Internet. As long as they maintained the physical security of their production facility through locks, gates, and guards, the “air-gap” (the lack of wired or wireless connections to a network outside the facility) would protect them.

However, as many researchers have noted, the air-gap has long since proven to be more myth than reality. For instance, a truly air-gapped ICS could never be updated and would quickly become useless. Further, once computers showed up on the plant floor, the data they collected became too valuable to users throughout the company as well as to equipment vendors. Thus, the incentives to bridge the air-gap to access the data—with USB drives, wireless connections, and built-in vendor remote access— became far too great.”

And even more damningly….

“Finally, even truly air-gapped systems are vulnerable, as demonstrated by researchers who have published a steady stream of research detailing methods to manipulate and steal data from air-gapped systems using their acoustic, optical, magnetic, electromagnetic, thermal, and other properties.”

To sum up, cyber attacks to industrial control systems are a well reported phenomenon and a constant danger. In its FY 2016 report, the U.S. Department of Homeland Security (DHS) Industrial Control System Computer Emergency Response Team (ICS-CERT) stated that it responded to 290 attack incidents:

“Most of these (incidents) had no impact on services, but 27 affected critical systems or critical systems management. In addition, in an experiment using ICS honeypots, evidence of an attack was recorded only eighteen hours after the first honeypot went online. 

Over the next four weeks, thirty-nine attempts originating from fourteen countries were made to gain access to the systems and modify them. An example specific to the food industry is demonstrated by Ecolab. A company representative noted during a ProFood Tech presentation that the server for a new Ecolab clean-in-place optimization service was attacked 250,000 times in its first 30 days of operation.”

Ouch! It’s time for the food manufacturing industry to take the cyber threats to the stuff that we eat seriously. A catastrophic act of cyberwarfare on food manufacturing facilities could quite literally be fatal to an untold number of unsuspecting people.